Information Security and Data Privacy Officer
About Daye
Daye is a leader in gynaecological health innovation, developing diagnostic and digital health technologies that raise the standards of care in women's health. Founded in 2017, we've built vertically integrated R&D and manufacturing capabilities and launched pioneering products including the Diagnostic Tampon, which enables at-home vaginal microbiome, HPV and STI screening.
We handle sensitive health data across multiple jurisdictions (UK, EU, and US), working with healthcare providers such as the NHS and US health systems, and serving tens of thousands of patients globally.
As Daye transitions from a start-up stack to a scalable, regulated healthtech infrastructure, the complexity of our systems has grown significantly. We have an order management system, a GMP/ISO compliant production management system as well as a medical platform that handles sensitive health data across multiple jurisdictions.
You'll join at a time when we've completed our ISO 27001 certification but are now implementing the next phase: embedding a defensive programming culture, ongoing white-box penetration testing, and formal security documentation across engineering and operations.
Daye's mission is to close the gender health gap through science, innovation, and trust. Protecting patient data and ensuring clinical-grade security is core to that mission.
About the opportunity
Over the past year, as Daye has scaled across borders and built partnerships with major healthcare systems, our exposure to complex data environments has expanded rapidly, spanning patient portals, clinical lab integrations, e-commerce, and third-party logistics.
We are formalising a dedicated information security and data privacy function led by an experienced Information Security and Data Privacy Officer.
This is a pivotal hire to build a robust, forward-looking security infrastructure that protects our users, ensures resilience, and instils confidence in all our partners.
What you'll be doing
Security Strategy & Governance
- Define and implement a company-wide information security strategy aligned with Daye's healthcare and diagnostic operations.
- Build and maintain policies and procedures for data governance, cybersecurity, and incident management.
- Conduct ongoing risk assessments and internal audits, reporting findings directly to the executive team.
- Implement policies from our ISO 27001 action plan including mobile device management, VPN enforcement, access controls, secure coding standards, risk management committee oversight, and supplier security reviews.
- Lead development of incident response, escalation, and post-mortem procedures for data or platform-related events.
- Collaborate with the CTO to integrate security-by-default principles in product and infrastructure decisions.
Data Protection & Privacy
- Ensure full compliance with GDPR, HIPAA, the UK Data Protection Act, and NHS Digital standards.
- Introduce defensive programming practices throughout the codebase, enforcing strict input validation, error handling, and failure logging.
- Standardize secure development practices (role-based access, API key vaults, code reviews, automated security scanning).
- Oversee MDM and endpoint protection deployment across all employee devices.
- Embed privacy-by-design principles into product development and data infrastructure.
- Manage Data Protection Impact Assessments (DPIAs) and oversee responses to subject access or erasure requests.
- Negotiate and monitor data processing agreements and security addenda with vendors and healthcare partners.
Technical Security Implementation
- Design and enforce security controls across our Google Cloud-based infrastructure, API integrations, and clinical data pipelines.
- Oversee secure data integrations with partner labs and clinical institutions, including third-party risk assessments and contractual controls.
- Oversee encryption, authentication, access control, and secure software development practices.
- Implement monitoring and alerting for threats, data leakage, and anomalous access.
- Collaborate with engineering on penetration testing, vulnerability scanning, and DevSecOps adoption.
Compliance, Audits & Healthcare Partnerships
- Lead certification, re-certification and audit initiatives for ISO 27001, ISO 13485, and SOC 2 Type II.
- Prepare documentation for regulatory audits and partner due diligence (e.g., NHS, EIC and EIB, or US health systems).
- Support clinical and research teams in securing study data and maintaining compliant data flows.
- Act as the primary point of contact for external security assessments and compliance reviews.
Culture & Leadership
- Establish a security-first culture across engineering, operations, and clinical functions.
- Lead training initiatives across engineering, manufacturing, and clinical teams, including KnowBe4 phishing simulations, post-incident training, and secure coding refreshers.
- Build internal security documentation to support scaling of the engineering team and onboarding of new hires.
- Deliver staff training and tabletop exercises on data privacy, phishing prevention, and incident response.
- Partner with leadership to make security an enabler of innovation rather than a blocker.
What you need to bring
- Experience building or running ISO 27001 or SOC 2 programs, ideally within a startup or medical device context.
- Hands-on knowledge of VPN, MDM, endpoint protection, the secure development lifecycle (SDLC), and threat modelling.
- Ability to translate complex technical risks into actionable business recommendations.
- Strong understanding of cloud and API security, network architecture, and database protection.
- Experience building or auditing secure clinical data pipelines and electronic lab integrations.
- Familiarity with medical device or diagnostic product regulations is a strong plus.
- Experience coordinating cross-border data protection programs involving EU and US healthcare systems.
This position is for you if you are:
- Highly adaptable and comfortable with high levels of ambiguity.
- Obsessed with proactive risk management and able to think like both an attacker and a regulator.
- Comfortable working in a fast-moving, resource-constrained start-up where processes evolve quickly.
- Motivated by building from scratch, from policies to infrastructure, and seeing your work directly protect patients.
- Deeply aligned with Daye's mission to restore trust and transparency in women's health.
- Comfortable working on mundane as well as strategic tasks.
- Obsessed with self-organisation.
- Exhibiting high levels of autonomy.
- Committed to accuracy, with impeccable attention to detail.
Why join us
Working at Daye, you will be collaborating with a passionate, motivated and international group of top performers. Our team is big enough so you can grow, but lean enough so you can make a real impact. We're always pushing boundaries; for us that's the first step to a fulfilling and rewarding career. We move fast and we are not afraid of making mistakes or adapting. We believe no problem is too big to solve. We also believe everyone is an owner, which gives all of us at Daye the scope and space to grow. For this we offer:
- Remuneration - Competitive pay rates with salary reviews once a year.
- Growth - Paid training opportunities (e.g. certificates, conference visits).
- Flexibility - Work whenever and wherever works best for you.
- Work-life balance - 20 days paid vacation per year on top of collective weeks off in August and between Christmas and New Year.
- Parental leave - Generous shared parental leave and return-to-work policy.
- Healthcare - Private health insurance.
- Wellness - Free professional coaching, mental health days.
- Work environment - A diverse yet like-minded community, with an ambitious and driven yet friendly atmosphere.
How to Apply
Does this role sound like a good fit? Apply today by sending us your CV!
Only shortlisted candidates will be contacted.